Shellcode - File Reader Linux x86

Learn how to develop a very small shellcode able to read the content of a file on a Linux x86 system with NASM.

Introduction

During a penetration test or a hacking competition, it is common to use already existing shellcode as the payload in the exploitation of a software vulnerability.

A file reader shellcode is generally a rather small code able to read the content of a file and to write it on the standard output. It can be useful to display the content of sensitive files such as /etc/passwd or the content of a file containing the flag during a CTF.

This shellcode development tutorial explains how to efficiently develop your own File Reader shellcode for a Linux x86 machine.

Prerequisite

To follow this tutorial, you need to run a Linux operating system. We recommend the following software and resources.Nasm to assemble the x86 code and GCC to compile the testing software.

System Call

We are going to use system calls to requests services from operating system's kernel.On the Linux kernel system calls are triggered by the interrupt vector 0x80 the instruction is int 0x80.

To code our File Reader shellcode we will use four different system calls :

0x05sys_open to get the file descriptor.

0x03sys_read to put the content of the file in a buffer.

0x04sys_write to write the content of the buffer on the Standard output.

0x01sys_exit to safely exit the program.

As you can see each system call is associated with a 1 byte number, it has to be set in the EAX register for x86 programs. Other registers can be used by system calls as parameters.

File Reader /etc/passwd Linux x86 - 48 bytes

The final code is only 48 bytes and NULL byte free. The goal was to create a very compact shellcode using some x86 optimizations and tricks.

Clear registers

The first step in the code above is to clear EAX, ECX and EDX registers.

After xor ecx, ecx the register ECX is equal to 0x00000000. Then we are using the arithmetic instruction mul ecx, it will perform an unsigned multiplication EDX:EAX = EAXECX the result is stored in the register pair EDX:EAX.This is multiplying by zero EDX:EAX = EAX0 then EAX and EDX are both equals to 0x00000000.

Open file

The second step is to open the file, we are going to use the sys_open system call.

This system call takes 3 arguments, the pathname on EBX, the flags on ECX and the mode on EDX.We are pushing the path of the file we want to open on the stack then we are putting the address of the stack in EBX so it point the pathname string.

Read file

The third step is to put the content of the file in a buffer, the system call sys_read will do the job.

This system call takes 3 arguments, the file descriptor on EBX, the buffer on ECX and the bytes to read on EDX.

Write content

The fourth step is to write the content of the buffer on the Standard output, we are going to use the sys_write system call.

This system call takes 3 arguments, a file descriptor on EBX, the buffer on ECX and the bytes to read on EDX.We are using the file descriptor 1, it is the standard output. You might want to use the file descriptor 2 to write on the standard error.

Exit program

The final step is to exit the program. It is optional, in some situations you might not want to exit. We are going to use the sys_exit system call.

This system call takes 1 argument on EBX, it's the exit code.

Testing

If you want to try the shellcode in a C program, you save the code below as test-shellcode.c and compile it with the following command.gcc -m32 -masm=intel -nostdlib -fno-stack-protector -z execstack test-shellcode.c -o test-shellcode

Conclusion

Most of the time it is pointless to develop and optimize your own shellcode because there is probably a public and much smaller one.But in some situations to do very specific actions on the target machine it's good to know a few tricks in assembly.